server | Matthew Daly's Bloghttps://matthewdaly.co.uk/blog/categories/server/
server | I'm a web developer in Norfolk. This is my blog...Sun, 13 Jan 2019 20:21:39 GMThttp://blogs.law.harvard.edu/tech/rssgrunt-blogbuilder https://github.com/matthewbdaly/grunt-blogbuilderMatthew Daly 2019https://matthewdaly.co.uk/blog/2011/05/29/hacked/
https://matthewdaly.co.uk/blog/2011/05/29/hacked/Sun, 29 May 2011 13:53:13 GMTHad a rather unfortunate incident last month - someone hacked into my Pogoplug mail server, and managed to get their mitts on my .fetchmailrc, which had all the login details for several email accounts. They promptly began sending spam out using my Gmail account.

Naturally this meant I spent ages running round like a headless chicken trying to lock them out - when I first noticed that they’d been sending emails directly from my mail server, I logged into it via SSH and shut it down, then changed the passwords on all my email accounts.

Thinking logically, there were four services that I had forwarded ports to the server for - SSH, Apache, Postfix and Dovecot. Now, I was running SSH on a non-standard port, had disabled root access, and didn’t allow password authentication (SSH keys only). Also, I had enabled DenyHosts, so I’m fairly confident SSH was not the point of entry.

So that leaves either Apache, Postfix or Dovecot. I had noticed in the error logs a lot of characters prefixed with backslashes, and wondered if someone was trying some kind of shellcode injection, and to be safe I had added new iptables rules to blacklist the IP addresses responsible. I had done what I could to secure Apache, but I can’t rule it out as the application that was compromised. I went through the server logs, but without finding anything - I’m guessing whoever was responsible deleted the appropriate entries in the log files. I couldn’t be sure that the server could still be trusted, so I did a fresh install, and have disabled port forwarding on my router.

This has certainly made me much more cautious and suspicious about security, which I guess can’t be a bad thing. Even beforehand, I found it pretty scary to see the sheer number of script kiddies who will try to hack into any server on the Internet.

]]>https://matthewdaly.co.uk/blog/2011/02/21/more-on-my-mini-server/
https://matthewdaly.co.uk/blog/2011/02/21/more-on-my-mini-server/Mon, 21 Feb 2011 22:26:13 GMTWhile I was very pleased to get a proper Linux distro working on my Pogoplug, the Arch-based Plugbox Linux was never really my cup of tea. While it’s a fine distro, I always felt that Debian would have been a much better fit. Partly this is because Debian has established a strong history of being a solid, stable distro that would carry on working no matter what, whereas Arch is more bleeding-edge. Also, Debian has a colossal repository that included a lot of software I wanted that wasn’t in the Arch repositories and I couldn’t get to install or compile from source, such as procmail and Squirrelmail. Debian also has strong support for many different processor architectures, including armel. Finally, being an Ubuntu user on the desktop, Debian is a distro that feels much more familiar to me.

So I eventually gave up on running Plugbox Linux and took the opportunity of the release of Debian Squeeze to install it on my Pogoplug, thanks to this tutorial. With that done, I set about adding my favourite applications. Byobu is a really handy tool that makes GNU screen significantly more intuitive and useful, so that’s always one of the first things to go on, and one that I’d really missed in Plugbox. I’ve now gotten my mail server working again, with the addition of procmail as my mail filter and Squirrelmail to give me a web interface. I’ve also set up Leafnode on there as I’d really like to learn more about Usenet, and I’m beginning to get the hang of using slrn to read it.

It’s amazing how much running my own server has taught me about security. I was staggered to see the sheer number of attempts by script kiddies to connect via SSH to my Pogoplug, and it really made me start thinking about security in a way I’d never bothered beforehand. I’ve installed denyhosts to block atttempts to brute-force the password, and made sure I chose a good password. I’ve also set OpenSSH to listen on a different port, which should hopefully decrease the number of login attempts substantially (I presume most of these were just script kiddies scanning large blocks of IP addresses looking for hosts with port 22 open), and have disabled root login (as at right now my login is the only one that is allowed via SSH, so if anyone does bother to do a more thorough scan and try to connect to the port I’m running SSH on, they’ll need to guess my username AND password, and do so before denyhosts kicks them off - a pretty tall order).

The whole concept of “plug servers” is one I really like, and my experience with the Pogoplug has been extremely good - it’s an inexpensive and extremely hackable device that has been an absolute pleasure to use.